Security News > 2021 > June > SonicWall ‘Botches’ October Patch for VPN Bug
UPDATE. An October patch for a critical remote code execution bug in a SonicWall VPN appliance turned out to be insufficient.
SonicWall originally patched the stack-based buffer overflow vulnerability in the SonicWall Network Security Appliance, tracked as CVE-2020-5135, back in October.
"SonicWall is active in collaborating with third-party researchers, security vendors and forensic analysis firms to ensure its products meet or exceed expected security standards. Through the course of this practice, SonicWall was made aware of, verified, tested and patched a non-critical buffer overflow vulnerability that impacted versions of SonicOS. SonicWall is not aware of this vulnerability being exploited in the wild. As always, SonicWall strongly encourages organizations maintain patch diligence for all security products."
Abramov and Young both reported the bug to SonicWall around the same time in late September, and the company gave Young a date of Oct. 5 for a patch to resolve the problem.
After the patch was released, Young tested a SonicWall VPN on Microsoft Azure to confirm how it responded to a proof-of-concept exploit he'd devised for the flaw and found that it was still vulnerable.
Ultimately, it would take until this Wednesday, June 22, before SonicWall would publicly post the advisory for the updated patch to the vulnerability, Young wrote.
News URL
https://threatpost.com/sonicwall-botches-critical-vpn-bug/167152/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-10-12 | CVE-2020-5135 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Sonicwall Sonicos and Sonicosv A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. | 9.8 |